Endpoint Protection Small Business Edition

  • 1.  Help Deciphering Tamper Protection Log Symantec Endpoint Protection

    Posted Mar 10, 2015 04:47 PM

    I have the below logs

     

    I collected the Tamper Protection log from Symantec Endpoint Protection Manager in Symantec Endpoint Protection 12.1 and wondered if someone could help me decipher what they mean. Are they interfering with the wepsvc.exe service or is wepsvc.exe interfering with Symantec Endpoint? What would you recommend as the next step to resolve this? I attached the full log for download.

    Time Stamp Event Type Event Time Severity Host Name Action Test Mode Description API Encoded API Name Begin Time End Time Rule ID Rule Name Caller Process ID Caller Process Name Return Address Return Module Target Alert Send Snmp Trap User Name File Size Device ID IP Address Domain Name Site Name Server Name Group Name Computer Name Action Type Repetition
    3/9/2015 15:31 Tamper Protection 3/9/2015 13:51 Minor NH90000-806 Block 0 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe 3/9/2015 13:51 3/9/2015 13:54     7288 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA NH90000-806 Block 2
    3/9/2015 12:51 Tamper Protection 3/9/2015 12:45 Minor NH90000-399 Block 0 C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\Smc.exe 3/9/2015 12:45 3/9/2015 12:45     9984 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\Smc.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA\CORPORATE\IT_R+D NH90000-399 Block 1
    3/9/2015 12:51 Tamper Protection 3/9/2015 12:45 Minor NH90000-399 Block 0 C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 3/9/2015 12:45 3/9/2015 12:45     9984 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA\CORPORATE\IT_R+D NH90000-399 Block 1
    3/9/2015 12:51 Tamper Protection 3/9/2015 12:45 Minor NH90000-399 Block 0 C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 3/9/2015 12:45 3/9/2015 12:45     9984 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA\CORPORATE\IT_R+D NH90000-399 Block 1
    3/9/2015 12:59 Tamper Protection 3/9/2015 12:32 Minor NH90000-411 Block 0 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe 3/9/2015 12:32 3/9/2015 12:32     4720 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA\TEST-HELENA\SYMANTEC UPGRADE TEST NH90000-411 Block 1
    3/9/2015 12:59 Tamper Protection 3/9/2015 12:32 Minor NH90000-411 Block 0 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe 3/9/2015 12:32 3/9/2015 12:32     4720 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA\TEST-HELENA\SYMANTEC UPGRADE TEST NH90000-411 Block 1
    3/9/2015 14:37 Tamper Protection 3/9/2015 10:29 Minor NH90000-806 Block 0 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe 3/9/2015 10:29 3/9/2015 10:29     7288 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA NH90000-806 Block 1
    3/9/2015 14:37 Tamper Protection 3/9/2015 10:29 Minor NH90000-806 Block 0 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 3/9/2015 10:29 3/9/2015 10:29     7288 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA NH90000-806 Block 1
    3/9/2015 15:31 Tamper Protection 3/9/2015 10:29 Minor NH90000-806 Block 0 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 3/9/2015 10:29 3/9/2015 13:54     7288 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA NH90000-806 Block 5


  • 2.  RE: Help Deciphering Tamper Protection Log Symantec Endpoint Protection
    Best Answer

    Posted Mar 11, 2015 01:49 PM

    Please check the articles below.

    What should I do when I get a Tamper Protection Alert?

    http://www.symantec.com/business/support/index?page=content&id=TECH97931

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

    http://www.symantec.com/business/support/index?page=content&id=TECH92553

     

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55213



  • 3.  RE: Help Deciphering Tamper Protection Log Symantec Endpoint Protection
    Best Answer

    Posted Mar 11, 2015 03:56 PM

    Yes, it looks like that process is trying to tamper with the SEP service. If this is legit, you can create an exception for it.

    Creating a Tamper Protection exception
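
A triage helper for rows like those in the first post, added here as an example; it is not part of the thread or of any Symantec tooling. It pulls out the caller process (the actor), the protected SEP binary it was blocked from touching, the host, and the Repetition value, then groups them so you can see whether a single caller path accounts for every event before considering an exception. The row layout in the regular expression is an assumption based on the rows as pasted above, and `parse` and `summarize` are hypothetical names.

```python
import re
from collections import defaultdict

# Four rows taken from the log in the first post (the IP column is "..." there).
SAMPLE = r"""
3/9/2015 15:31 Tamper Protection 3/9/2015 13:51 Minor NH90000-806 Block 0 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe 3/9/2015 13:51 3/9/2015 13:54     7288 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA NH90000-806 Block 2
3/9/2015 12:51 Tamper Protection 3/9/2015 12:45 Minor NH90000-399 Block 0 C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\Smc.exe 3/9/2015 12:45 3/9/2015 12:45     9984 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\Smc.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA\CORPORATE\IT_R+D NH90000-399 Block 1
3/9/2015 12:51 Tamper Protection 3/9/2015 12:45 Minor NH90000-399 Block 0 C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 3/9/2015 12:45 3/9/2015 12:45     9984 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA\CORPORATE\IT_R+D NH90000-399 Block 1
3/9/2015 15:31 Tamper Protection 3/9/2015 10:29 Minor NH90000-806 Block 0 C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 3/9/2015 10:29 3/9/2015 13:54     7288 C:\PROGRAM FILES\WEBSENSE\WEBSENSE ENDPOINT\WEPSVC.EXE     C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe 1   SYSTEM     ... Default HELENA-SEP HCC-SEPM My Company\HELENA NH90000-806 Block 5
"""

# Assumed layout of a pasted row: logged time, event type, event time,
# severity, host, action, test mode, protected file, begin/end times,
# caller PID, caller path, target, ..., repetition as the last field.
ROW = re.compile(
    r"^\s*\d+/\d+/\d+ \d+:\d+ Tamper Protection "
    r"(?P<event_time>\d+/\d+/\d+ \d+:\d+) (?P<severity>\w+) (?P<host>\S+) "
    r"(?P<action>\w+) \d+ (?P<target>[A-Za-z]:\\.+?\.exe) "
    r".*?\s(?P<pid>\d+) (?P<caller>[A-Za-z]:\\.+?\.exe)\s"
    r".*\s(?P<repetition>\d+)\s*$",
    re.IGNORECASE,
)

def parse(text):
    """Return one dict per row that matches the assumed layout."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def summarize(events):
    """Group by (caller path, protected binary); collect hosts and sum Repetition."""
    out = defaultdict(lambda: {"hosts": set(), "repetitions": 0})
    for e in events:
        # Normalise case so the same binary under different install paths groups together.
        key = (e["caller"].lower(), e["target"].rsplit("\\", 1)[-1].lower())
        out[key]["hosts"].add(e["host"])
        out[key]["repetitions"] += int(e["repetition"])
    return dict(out)

if __name__ == "__main__":
    for (caller, target), s in sorted(summarize(parse(SAMPLE)).items()):
        print(f"{caller} -> {target}: repetitions={s['repetitions']} hosts={sorted(s['hosts'])}")
```

If more than one caller path shows up in the summary, or the caller sits outside the expected install directory, treat that as something to investigate rather than something to except.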